From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 05/32] memory: avoid "resurrection" of dead FlatViews
Date: Fri, 22 Sep 2017 01:16:13 +0200 [thread overview]
Message-ID: <1506035800-30509-6-git-send-email-pbonzini@redhat.com> (raw)
In-Reply-To: <1506035800-30509-1-git-send-email-pbonzini@redhat.com>
It's possible for address_space_get_flatview() as it currently stands
to cause a use-after-free for the returned FlatView, if the reference
count is incremented after the FlatView has been replaced by a writer:
thread 1 thread 2 RCU thread
-------------------------------------------------------------
rcu_read_lock
read as->current_map
set as->current_map
flatview_unref
'--> call_rcu
flatview_ref
[ref=1]
rcu_read_unlock
flatview_destroy
<badness>
Since FlatViews are not updated very often, we can just detect the
situation using a new atomic op atomic_fetch_inc_nonzero, similar to
Linux's atomic_inc_not_zero, which performs the refcount increment only if
it hasn't already hit zero. This is similar to Linux commit de09a9771a53
("CRED: Fix get_task_cred() and task_state() to not resurrect dead
credentials", 2010-07-29).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
docs/devel/atomics.txt | 1 +
include/qemu/atomic.h | 8 ++++++++
memory.c | 12 ++++++++----
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/docs/devel/atomics.txt b/docs/devel/atomics.txt
index 048e5f2..10c5fa3 100644
--- a/docs/devel/atomics.txt
+++ b/docs/devel/atomics.txt
@@ -64,6 +64,7 @@ operations:
typeof(*ptr) atomic_fetch_and(ptr, val)
typeof(*ptr) atomic_fetch_or(ptr, val)
typeof(*ptr) atomic_fetch_xor(ptr, val)
+ typeof(*ptr) atomic_fetch_inc_nonzero(ptr)
typeof(*ptr) atomic_xchg(ptr, val)
typeof(*ptr) atomic_cmpxchg(ptr, old, new)
diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
index b6b62fb..d73c9e1 100644
--- a/include/qemu/atomic.h
+++ b/include/qemu/atomic.h
@@ -442,4 +442,12 @@
} while(0)
#endif
+#define atomic_fetch_inc_nonzero(ptr) ({ \
+ typeof_strip_qual(*ptr) _oldn = atomic_read(ptr); \
+ while (_oldn && atomic_cmpxchg(ptr, _oldn, _oldn + 1) != _oldn) { \
+ _oldn = atomic_read(ptr); \
+ } \
+ _oldn; \
+})
+
#endif /* QEMU_ATOMIC_H */
diff --git a/memory.c b/memory.c
index 2b90117..51f54ab 100644
--- a/memory.c
+++ b/memory.c
@@ -294,9 +294,9 @@ static void flatview_destroy(FlatView *view)
g_free(view);
}
-static void flatview_ref(FlatView *view)
+static bool flatview_ref(FlatView *view)
{
- atomic_inc(&view->ref);
+ return atomic_fetch_inc_nonzero(&view->ref) > 0;
}
static void flatview_unref(FlatView *view)
@@ -773,8 +773,12 @@ static FlatView *address_space_get_flatview(AddressSpace *as)
FlatView *view;
rcu_read_lock();
- view = atomic_rcu_read(&as->current_map);
- flatview_ref(view);
+ do {
+ view = atomic_rcu_read(&as->current_map);
+ /* If somebody has replaced as->current_map concurrently,
+ * flatview_ref returns false.
+ */
+ } while (!flatview_ref(view));
rcu_read_unlock();
return view;
}
--
1.8.3.1
next prev parent reply other threads:[~2017-09-21 23:16 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-21 23:16 [Qemu-devel] [PULL 00/32] Misc changes for 2017-09-22 Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 01/32] virtio-serial: add enable_backend callback Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 02/32] kvm: drop wrong assertion creating problems with pflash Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 03/32] memory: avoid a name clash with access macro Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 04/32] atomic: update documentation Paolo Bonzini
2017-09-21 23:16 ` Paolo Bonzini [this message]
2017-09-21 23:16 ` [Qemu-devel] [PULL 06/32] exec: Explicitly export target AS from address_space_translate_internal Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 07/32] memory: Open code FlatView rendering Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 08/32] memory: Move FlatView allocation to a helper Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 09/32] memory: Move AddressSpaceDispatch from AddressSpace to FlatView Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 10/32] memory: Remove AddressSpace pointer from AddressSpaceDispatch Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 11/32] memory: Switch memory from using AddressSpace to FlatView Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 12/32] memory: Cleanup after switching " Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 13/32] memory: Rename mem_begin/mem_commit/mem_add helpers Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 14/32] memory: Store physical root MR in FlatView Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 15/32] memory: Alloc dispatch tree where topology is generared Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 16/32] memory: Move address_space_update_ioeventfds Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 17/32] memory: Share FlatView's and dispatch trees between address spaces Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 18/32] memory: Do not allocate FlatView in address_space_init Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 19/32] memory: Rework "info mtree" to print flat views and dispatch trees Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 20/32] memory: Get rid of address_space_init_shareable Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 21/32] memory: Create FlatView directly Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 22/32] memory: trace FlatView creation and destruction Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 23/32] memory: seek FlatView sharing candidates among children subregions Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 24/32] memory: Share special empty FlatView Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 25/32] scsi, file-posix: add support for persistent reservation management Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 26/32] scsi: build qemu-pr-helper Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 27/32] scsi: add multipath support to qemu-pr-helper Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 28/32] scsi: add persistent reservation manager using qemu-pr-helper Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 29/32] chardev: new qemu_chr_be_update_read_handlers() Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 30/32] chardev: add Chardev.gcontext field Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 31/32] chardev: use per-dev context for io_add_watch_poll Paolo Bonzini
2017-09-21 23:16 ` [Qemu-devel] [PULL 32/32] chardev: remove context in chr_update_read_handler Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1506035800-30509-6-git-send-email-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).